Just to make sure I understand you correctly: you want domain members not to change their MACHINE account password (not the USER account passwords), as that is what the "refuse machine password change" policy is for. Correct?

Looks like NT_STATUS_ACCOUNT_RESTRICTION is the wrong status code.
According to http://support.microsoft.com/kb/154501,
"future attempts to change the password are prevented (by returning a distinct status code)."
but the machines try to change the password again and again...